I’ve recently joined a big financial firm as an Architect and we are in the process of designing our first Internet-facing transactional e-commerce website (the current website is a mix of mostly static, a wee bit dynamic, CMS-based information portal). As part of this design we are evaluating various Operating Systems (apart from firewalls, databases, programming languages and hosting options).

A bit more about the firm:

The firm currently uses products from a firm headquartered in Redmond for their intranet portals

Most of the programming work is outsourced to third-party software development shops

The ‘internal handlers’ of these projects within our firm are middle-management. These guys don’t have the technical know-how to distinguish Linux from BSD. For them open source is Linux.

Since there is very little knowledge of open source – people are ‘afraid of open source’. It is mostly a fear of the unknown. The prevailing mindset is – if it’s security-related, it can be solved by getting a Cisco Firewall.

The firm is genuinely concerned about security. In fact they are paranoid about it.

A bit about me:

Application developer for the past 10 years. Mostly Java – a bit of Lua. Dabbled a bit with systems – but by no means a competent system/network admin.

Been researching various OSes for the last 2 years. FreeBSD and OpenBSD are my favorites because I like the clean, simple style of the systems. I prefer the BSD style licenses to GNU/GPL ones. I like OpenBSD for their uncompromising focus on security. I use OpenBSD + Xfce on my laptop (a ThinkPad). I also really like the OpenBSD people – Michael Lucas (and his books), Henning Brauer, Joshua (and this site), Ted, the Conformal guys (Marco and Dale) and Theo. I don’t know any of them personally but I love their attitude towards systems and security. (Unrelated, but I’m also a Dan Bernstein fanboy)

Used Solaris and CentOS in production before.

Strongly believe OpenBSD and its family of tools (pf, OpenBGPD, OpenSSH, etc.) should be the platform on which we build our systems.

The Problem:

Convincing top management to choose OpenBSD.

Since I am new, I need to provide credible real world evidence of OpenBSD deployment successes – preferably in the Banking and Financial Services Industry. I can easily find details about this for, say, RHEL (red hat mentions on their website that RHEL is used on 80% of the world’s stock exchanges and cite NYSE and LSE as their clients). Does any such data exist for OpenBSD? I went through the ‘Products based on OpenBSD’ page and I could find a lot of Firewall/Router/Security firms but no BFSI data.

Has any of you here ever been in a similar position? How did you convince management to use OpenBSD?

My current proposal:

Mention that OpenBSD is one of the few OSes that has security as its primary focus.

Mention that an architecture composed of only OpenBSD boxes will be a much more elegant, auditable and maintainable system than cobbling together a Cisco router/firewall with some RHEL boxes.

Mention that we can hire top security guys – for example Henning – to design and review our network and security architecture.

NEVER mention cost as a deciding factor. Because the mentality here is to equate ‘free’ with ‘cheap’. Also, I have no intention to use it as a free system. I intend to push the firm to donate to the OpenBSD foundation.

What I am most afraid of is the following question – If it is so good, then why isn’t anyone in BFSI using it? Well, the logical answer to that is that the security/firewall organizations are using them, and selling their products to the BFSI industry – but I don’t think it’s a strong enough answer.

One problem many companies have with open source is that there’s no “downhill” option. If something breaks, there’s no one they can call for support and pass the buck to and tell everyone that the vendor is working on it. With Cisco and Micros~1 you can get (expensive) support contracts and always have someone available to answer questions (even if that answer is often “it’s a bug, we’ll fix it in 9 months”).

Even if you’re personally capable of supporting these OpenBSD servers, it might help you make your case if you can get one of the OpenBSD consulting companies (not mine) to prepare a quote for supporting your servers. Even if you never have to use them, management might be more receptive to the idea if they know they can call someone in your absence or think that you have someone to call.

I’ve already included that in the proposal. I am leaning towards M:Tier for support and I want the network architecture to be reviewed by Henning.

I’m sure I’m not competent enough to troubleshoot serious issues – I may be able to do day to day monitoring and restart processes when they crash, or do some minor maintenance like rotate logs but I’ll have to delegate serious issues to someone else – someone who knows the system well.

If money isn’t really a problem, you buy a Cisco firewall and configure it to just pass traffic. Then install an OpenBSD system inline with the Cisco. This is kind of dirty, but a lot like my friend’s solution to “your application must use Oracle”. They created one table with one column and one row: a blob that happened to be a sqlite database.

The other trojan horse technique takes advantage of the fact that systems and requirements are constantly evolving. Build whatever they want now, but it’s always possible to migrate functionality around later when people aren’t paying attention.

The guy who takes over for you after you leave will, of course, want to hunt you down and kill you.

On a more serious note... You could show them cases where OpenBSD was OOTB more secure than $linuxdistro. I can’t remember specifics (read: my first Google search didn’t find it), but IIRC there was an example of this with Apache (maybe 1.3, feels like it was in base) a while back.
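For the “Cisco passes traffic, OpenBSD filters inline” setup suggested in an earlier comment, here is what the OpenBSD side looks like as a transparent bridge(4) so nothing on either side needs re-addressing. This is an added example, not from any commenter on this thread; the interface names (em0/em1), the web server address 192.0.2.10 and the admin network 203.0.113.0/24 are placeholders, and the ruleset is a minimal default-deny starting point, not a complete production policy.

```pf
# /etc/hostname.em0   - outside member, facing the Cisco (no address)
up

# /etc/hostname.em1   - inside member, facing the web tier (no address)
up

# /etc/hostname.bridge0 - bridge the two members; pf filters on em0/em1
add em0
add em1
up

# /etc/pf.conf - filtering on the bridge members
ext_if    = "em0"
int_if    = "em1"
web_srv   = "192.0.2.10"        # assumed address of the web server
admin_net = "203.0.113.0/24"    # assumed address of the admin network

set skip on lo0
block log all                   # default deny, log what is dropped

# Public clients may reach the web tier on HTTP/HTTPS only.
# A bridged packet enters on em0 and leaves on em1, so allow both legs;
# replies are matched by state.
pass in  on $ext_if proto tcp to $web_srv port { 80 443 }
pass out on $int_if proto tcp to $web_srv port { 80 443 }

# SSH to the web tier only from the admin network
pass in  on $ext_if proto tcp from $admin_net to $web_srv port 22
pass out on $int_if proto tcp from $admin_net to $web_srv port 22
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` while testing; anything the web server needs to initiate itself (DNS, backend database, package updates) will show up there as blocked and needs its own explicit pass rule.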